Cyber Losses Testing Insurance Policy Boundaries

April 13, 2017 by

Now that cyber attacks and data breaches have become common, insurers and risk managers are struggling to assign the resulting costs and losses among different types of insurance.

On the one hand, there are traditional property and liability policies that cover first- and third-party losses in well-established categories, such as commercial crime, personal injury, errors and omissions, and so on.

On the other hand, there has been a rapid emergence of “cyber-insurance” policies that combine coverage for certain costs in responding to an incident, along with the specialized services for executing the response, according to panelists at the recent 2017 Cyber Liability Symposium of the Professional Liability Underwriting Society (PLUS) in Chicago.

A leading example of the encounter of traditional and cyber losses are the cases where companies have funds, data, or intellectual property stolen by computer hackers.

“Cyber policies typically exclude coverage for theft losses,” said Matt Danielak, ‎a specialist in professional, security, privacy and media liability for Willis Towers Watson. “Commercial crime policies typically cover theft and pay for funds lost, but don’t provide the [consulting] resources to mitigate cyber-fraud.”

Similarly, he said, professional firms, such as law firms, typically rely on professional liability policies to cover any liability they may incur from lapses in their performance. However, he added “E&O [errors and omissions] policies don’t provide the utilities and resources they need” to protect themselves from cyber liability.

In light of the coincidence of cyber and traditional losses, insurers and risk managers are asking whether it is more efficient to assign all losses arising from network breaches or failures to cyber policies.

Members of one panel at the PLUS Cyber Liability Symposium noted the recent emergence of “single-peril” cyber policies that cover, among other things, an insured’s liability for third-party bodily injury and property damage arising from a cyber incident.

“Basically, this is cyber insurance coverage on steroids,” said Stephanie Snyder, national cyber sales leader for Aon, and a member of the panel. “It includes cyber coverage that is expected to respond to physical property damage, products liability, and bodily injury.”